[clamav-users] Win.Exploit.CVE_2017 in user32.dll

2017-10-30 Thread JD Ackle
Hello,

A clamscan running from Linux on a Windows disk (mounted on /mnt )
produced the following results:

/mnt/Windows/System32/user32.dll: Win.Exploit.CVE_2017_8689-6336853-0 FOUND
/mnt/Windows/SysWOW64/user32.dll: Win.Exploit.CVE_2017_8689-6336853-0 FOUND


There were other occurrences of the same signature in
/mnt/Windows/WinSxS/Backup/ and /mnt/Windows/WinSxS/Temp/, but after a
reboot to Windows and running Windows Defender, then back to Linux
rerunning the clamscan, these seem to come and go, on different
occurrences of user32.dll, in these backup/temporary folders. The
occurrences in the first two folders I mentioned above do however persist.


I also got these two other persistent detections:

/mnt/Windows/WinSxS/FileMaps/$$_system32_windowspowershell_v1.0_3f102d555ee05d33.cdf-ms:
Win.Trojan.Emotet-6340301-0 FOUND
/mnt/Windows/WinSxS/FileMaps/$$_syswow64_windowspowershell_v1.0_19ae85881f1c4f2d.cdf-ms:
Win.Trojan.Emotet-6340301-0 FOUND


Given what I read on the list about Win.Exploit.CVE_2017 being (mostly?)
an Excel file infection and deemed a couple of times as a false
positive, as well as with those two trojan detections in files whose
names seem related to the above Win.Exploit.CVE_2017 files' detections
(system32 and syswow64), I'm not sure what to make of any of these
detections.

Your help would be appreciated.

___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
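One way to separate the hits that persist from the ones that come and go, as an added example that is not part of the original post or of ClamAV itself: run clamscan from Linux against the mounted volume more than once, keep each run's output, and compare the FOUND lines. The Python below does that over two constructed scan outputs (the WinSxS file names in them are made up), reporting paths flagged with the same signature in every run as persistent and everything else as transient, then grouping the persistent hits by signature so each signature is reviewed once rather than once per copy of the file.

```python
"""Separate persistent from transient clamscan hits across repeated scans.

Added example, not code from the original post or from the ClamAV project.
It parses the "<path>: <signature> FOUND" lines clamscan prints, keeps only
hits that appear at the same path with the same signature in every run, and
lists the rest as transient (for instance WinSxS\\Backup and WinSxS\\Temp
copies that come and go between reboots). The two scan outputs below are
constructed for the demo; the WinSxS file names in them are made up.
"""
import re
from collections import defaultdict

# clamscan prints one line per file; the greedy ".+" tolerates ": " inside paths.
FOUND_RE = re.compile(r"^(?P<path>.+): (?P<sig>\S+) FOUND$")

RUN1 = """\
/mnt/Windows/System32/user32.dll: Win.Exploit.CVE_2017_8689-6336853-0 FOUND
/mnt/Windows/SysWOW64/user32.dll: Win.Exploit.CVE_2017_8689-6336853-0 FOUND
/mnt/Windows/WinSxS/Temp/PendingRenames/constructed_a.dll: Win.Exploit.CVE_2017_8689-6336853-0 FOUND
/mnt/Windows/System32/kernel32.dll: OK
----------- SCAN SUMMARY -----------
Infected files: 3
"""

RUN2 = """\
/mnt/Windows/System32/user32.dll: Win.Exploit.CVE_2017_8689-6336853-0 FOUND
/mnt/Windows/SysWOW64/user32.dll: Win.Exploit.CVE_2017_8689-6336853-0 FOUND
/mnt/Windows/WinSxS/Backup/constructed_b.dll: Win.Exploit.CVE_2017_8689-6336853-0 FOUND
/mnt/Windows/System32/kernel32.dll: OK
----------- SCAN SUMMARY -----------
Infected files: 3
"""


def parse_clamscan(text):
    """Return {path: signature} for every FOUND line in one clamscan run."""
    hits = {}
    for line in text.splitlines():
        m = FOUND_RE.match(line.rstrip())
        if m:
            hits[m.group("path")] = m.group("sig")
    return hits


def classify_runs(outputs):
    """Split hits from several runs into (persistent, transient) dicts.

    persistent: same path flagged with the same signature in every run.
    transient:  flagged in at least one run but not consistently in all.
    """
    runs = [parse_clamscan(o) for o in outputs]
    all_paths = set()
    for r in runs:
        all_paths.update(r)
    persistent, transient = {}, {}
    for path in sorted(all_paths):
        sigs = [r[path] for r in runs if path in r]
        if len(sigs) == len(runs) and len(set(sigs)) == 1:
            persistent[path] = sigs[0]
        else:
            transient[path] = sigs[-1]
    return persistent, transient


def group_by_signature(hits):
    """{signature: [paths]} so each signature is reviewed once, not per copy."""
    groups = defaultdict(list)
    for path, sig in sorted(hits.items()):
        groups[sig].append(path)
    return dict(groups)


if __name__ == "__main__":
    persistent, transient = classify_runs([RUN1, RUN2])
    for sig, paths in group_by_signature(persistent).items():
        print(f"PERSISTENT {sig}")
        for p in paths:
            print(f"    {p}")
    for path, sig in transient.items():
        print(f"TRANSIENT  {sig}  {path}")
```

Two caveats on reading the result. A path flagged identically on every run only tells you the file is stable; a false positive on a signed OS binary persists just as reliably as a real hit, and two runs against the same signature database will agree by construction (`clamscan --version` prints the engine and database versions, which is worth recording with each run, since a withdrawn signature simply stops firing after the next freshclam). For a Windows system file such as user32.dll the authoritative check is its Authenticode or catalog signature from within Windows (`Get-AuthenticodeSignature` in PowerShell, or `sfc /verifyonly`), and a file that checks out there belongs on the ClamAV false-positive report form rather than in quarantine.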


Re: [clamav-users] Are Win.Trojan.Shopperz and Win.Trojan.Uztuby-3 false positives?

2016-02-17 Thread JD Ackle
I was going to do the report as you suggested but someone else seems to
have beaten me to it. Clamscan on VirusTotal now reports it as clean as
does my local instance of clamscan and dnsapi.dll.

- JD -

Às 19:30 de 17-02-2016, Al Varnell escreveu:
> Then you need to report that as a False Positive by uploading dnsapi.dll to 
> http://www.clamav.net/reports/fp.  If you join the clamav-virusdb list you 
> will be notified when it’s been taken care of.
>
> -Al-



Re: [clamav-users] Are Win.Trojan.Shopperz and Win.Trojan.Uztuby-3 false positives?

2016-02-17 Thread JD Ackle
Thank you for the answer, Joel

Although I wouldn't be surprised myself to learn an ISP included Adware in 
something they provided for free, Shopperz was not the one found on my free 
copy of Panda Antivirus Pro, it was Uztuby-3 (Shopperz was on dnsapi.dll). That 
being said, I had previously downloaded and executed the said Panda installer 
on my Windows system and indeed I noticed the logo of my ISP on Panda's window. 
I opted out of receiving third party offers and such when I first signed with 
this ISP but I guess otherwise that area on Panda's window might be used to 
show advertisements. And I believe this would classify it as Adware but what is 
actually reported by ClamAV is a Trojan. I'm not at all savvy on these matters 
but wouldn't a Trojan pose a greater risk than the mere display of (possibly 
unwanted) ads on one program? I did contact my ISP about this and their response 
(no verbal communication towards me whatsoever) was to remove the free license 
I had previously activated from my account management webpage. I can still 
access it and I redownloaded the file which remains unchanged.

Concerning the Shopperz detection, I got it on a Windows system file 
( C:\Windows/System32/dnsapi.dll ) and its full name is: 
Win.Trojan.Shopperz-381

dnsapi.dll is a Windows system file without which Windows will not connect to 
the Internet (at least on my WiFi setup). ClamAV also detected Shopperz-381 on 
the same file, in a different location (cached?) on the same Windows system: 
Windows/WinSxS/amd64_microsoft-windows-dns-client-minwin_31bf3856ad364e35_10.0.10586.0_none_22114c18cd7ccd17/dnsapi.dll

The first time I ran ClamAV on these files (first scan = detection) was 
immediately after installing Windows 10 from a DVD burned with an ISO file 
downloaded from Microsoft's site. After my first login to that Windows system I 
rebooted to a Linux Live DVD (NO network connection was made until after 
booting Linux - which I performed in order to install ClamAV and run 
freshclam). VirusTotal thinks it's "probably harmless" but Antiy-AVL agrees with 
ClamAV that it contains a Trojan:
https://www.virustotal.com/en/file/b51a82ed2d45855ea9018b6269931ca62f3dc430fd513c7e751fc2cb76014bab/analysis/1455724650/

FYI at least since version 8 of Windows, there is this Microsoft Shop application 
that enables you to download free/bought software - I'm guessing there might be 
some code in dnsapi.dll facilitating that feature.
Hope that helps.

On Tuesday, February 16, 2016 10:13 PM, Al Varnell wrote:

Without the exact name of the Shopperz infection, I can’t tell you whether 
it’s a recent definition or an old one.  There are currently 351 such 
signatures.

The Uztuby-3 was added to the database on 30 Jan 2016 04-36 -0500 in 
daily:21324, so it’s been there for a couple of weeks.

It would not surprise me to learn that an ISP was providing something for free 
that included Adware.  I’m sure that’s what Shopperz’s are.

-Al-
-- 
ClamXav User

On Feb 16, 2016, at 12:25 PM, Jean-D. Ackle wrote:

> Hello,
> 
> So... it seems I've been a "victim" of last week's False Positives...
> First I got so many files on a Windows partition "infected" by the
> Bancos trojan (detected by clamscan running from Linux) I quickly
> concluded that particular Windows setup was gone. I just noticed someone
> on the list saying it was a FP...
> So then, I used my OEM recovery disks to reinstall the system and I
> "found out" the newly installed system with which I had NOT connected to
> the Internet yet was already infected by... Win.Trojan.Ramnit...
> 
> I had already installed Windows 10 downloaded from Microsoft when I
> learned about Ramnit's likelihood to be a FP. And... again without
> connecting to the Internet, Windows 10, particularly in dnsapi.dll seems
> already infected by Win.Trojan.Shopperz. After a little reading around
> the Internet I'm getting to think this is yet another FP.
> 
> Being that the FPs handling system in ClamAV seems to be a bit
> stalled... I would actually risk going ahead with disregarding it as
> such but ... I want an on-access virus scanner on Windows. My ISP
> happens to recently have made available a free subscription to Panda
> Antivirus and I'd like to take on that offer. But the downloaded
> installer is reported by ClamAV as infected.
> I uploaded it to VirusTotal and this was the result:
> https://www.virustotal.com/en/file/f183a4a6cd5afc5f134bd718dffa3e79d7a5aa6c501b7a792eaf37903f454f55/analysis/1455647361/
> (only ClamAV reports it as infected and there is no conclusive answer
> otherwise).
> 
> So, I'd appreciate some advice on whether I'd likely be OK with
> proceeding to connect to the Internet with the already installed Windows
> 10 and said Panda Antivirus to be installed prior to connecting to the
> Internet.
> Also, if there is anything I might help with (as far as submitting files
> is concerned (I'm hardly knowledgeable enough for anything else), please
> let me know.
> 
> Re

Re: [clamav-users] How to clean infection by Docx.Exploit.CVE_2015_1770

2015-07-23 Thread JD Ackle

On Wed, 7/22/15, G.W. Haywood wrote:

> Subject: Re: [clamav-users] How to clean infection by Docx.Exploit.CVE_2015_1770
> To: clamav-users@lists.clamav.net
> Date: Wednesday, July 22, 2015, 5:45 PM
>
> Hi there,
>
> On Wed, 22 Jul 2015, JD Ackle wrote:
>
> > I would like to know how I can remove Docx.Exploit.CVE_2015_1770
> > from Windows/System32/config/SOFTWARE
>
> As others have said, you might have found a false positive.  You need to
> find out if that is the case or not before you do anything else.
>
> If it is not a false positive but a real infection, then the ClamAV
> users' mailing list cannot really help you with your question.
>
> ClamAV tells you if it thinks that it has found something.  It is up to
> you to decide what to do about it.  You *can* choose to delete files if
> they are flagged by ClamAV, but in general that is not recommended; and
> as /Windows/System32/config/SOFTWARE is one of Windows' registry files,
> it will certainly damage your Windows installation if you delete it.
>
> There are many Internet help sites and similar which can help you with
> your question.
>
> Reading the rest of your message tells me that you need something. :)
> For self-help I personally recommend MalwareBytes Anti-Malware (MBAM).
> If you download it, be careful where you get it from.  Some Websites
> have been seen to include malicious software with the download.

Thank you for your advice, GW.

I tried MBAM and it reported NO infections. However, the first run did crash 
the program, so I then used another tool provided by MBAM that stated that 
sometimes the main program may be prevented from running by viruses and that's 
what the other tool was meant to solve - it did run alright and reported no 
threats but...

I then had Norton doing a scan and it found some tracking cookies in Firefox 
which is a tad odd on two accounts: 1) Norton had never complained about these 
before (but it might just be a new setting included with later updates...?) and 
2) I have Firefox configured to "Keep cookies until I close Firefox" (which 
doesn't necessarily mean they are removed from the hard disk, maybe they'll 
just no longer be used again by Firefox after the program quits...?).

Finally, I thought I might as well install the latest security update from 
Microsoft (which I was postponing for a couple days to have it installed on a 
clean(er) system).

And then... the latest results from ClamAV run from Linux:
- "/Windows/System32/config/" (where the previously infected "SOFTWARE" file's 
located) is now CLEAN!
- "/pagefile.sys" however is now clean of "Docx.Exploit.CVE_2015_1770" but is 
reportedly infected by "Exploit.Countdown" on every 
Remove-said-file-from-within-Linux->Reboot_to_Windows->Reboot-to-Linux-and-run-ClamAV-again.
 I had actually forgotten about this report when I told the "full story" 
earlier. This positive was detected at the time I had the Tenga virus and it 
was after removing the Tenga virus that the Docx.Exploit.CVE_2015_1770 started 
being detected.

I am currently doing a new full ClamAV scan of my Windows partition to try and 
check if something new comes up. Thus far only pagefile.sys was reported with 
said "Exploit.Countdown" and ... a few warning messages that don't reference 
any particular file have come up as well:
"LibClamAV Warning: cli_scanicon: found 1 invalid icon entries of 1 total" 
(eight times thus far on the current scan, all of them before the pagefile.sys 
detection)
I have no idea what that means but I've noticed it happens every time I run a 
scan on a Windows folder (i.e. on more than one file at a time) and never when 
scanning a Linux folder.

Just telling all this on this list because I'm not that sure these are false 
positives at the moment - hence no point in submitting anything to that list...
I will look for help elsewhere, probably will start off at Microsoft Answers. 
If something comes up which I think might be relevant to ClamAV, I'll reply 
back on this thread.

Thanks to all that replied.
J.D. Ackle


Re: [clamav-users] How to clean infection by Docx.Exploit.CVE_2015_1770

2015-07-22 Thread JD Ackle


On Wed, 7/22/15, Noel Jones wrote:

> I would suspect a false positive if a MS Office document virus is
> reported in anything other than an MS Office document.

Thank you for the reply, Noel.
Should I submit the concerning files to the False Positives list then?
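The heuristic in the reply above can be scripted. As an added example (not code from the thread or from the ClamAV project), the Python below uses the fact that ClamAV signature names start with the platform or format they target (Docx., Xls., Pdf., Win., ...) and compares that family with the first bytes of the flagged file: a Docx.* hit on a file that does not begin with a ZIP header cannot be the document exploit the signature describes. The magic-byte table, the verdict labels and the constructed stand-in files in demo() are this example's own assumptions.

```python
"""Check whether a ClamAV signature's target format matches the flagged file.

Added example, not code from the thread or from the ClamAV project. ClamAV
signature names start with the platform or file format they target
(Docx., Xls., Pdf., Win., ...). This script reads the first bytes of each
flagged file and reports a hit as "suspect" when the file cannot be of that
format, which is the heuristic behind treating a Docx.* hit on a registry
hive or on pagefile.sys as a likely false positive. The magic-byte table and
the sample files in demo() are this example's own assumptions.
"""
import os
import tempfile

OLE2 = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls/.ppt container
ZIP = b"PK\x03\x04"                          # OOXML (.docx/.xlsx/.pptx) container

# signature family -> magic bytes a genuine target file starts with (assumed table)
EXPECTED_MAGIC = {
    "Doc": (OLE2,), "Xls": (OLE2,), "Ppt": (OLE2,),
    "Docx": (ZIP,), "Xlsx": (ZIP,), "Pptx": (ZIP,),
    "Pdf": (b"%PDF",),
    "Rtf": (b"{\\rtf",),
    "Win": (b"MZ",),                          # PE executables and DLLs
}


def signature_family(sig):
    """'Docx.Exploit.CVE_2015_1770' -> 'Docx'."""
    return sig.split(".", 1)[0]


def header_matches(sig, header):
    """True/False when the family is in the table, None when we cannot judge."""
    family = signature_family(sig)
    if family not in EXPECTED_MAGIC:
        return None
    return any(header.startswith(magic) for magic in EXPECTED_MAGIC[family])


def triage_hit(path, sig):
    """'consistent', 'suspect' or 'unknown' for one clamscan FOUND line."""
    with open(path, "rb") as fh:
        header = fh.read(8)
    verdict = header_matches(sig, header)
    if verdict is None:
        return "unknown"
    return "consistent" if verdict else "suspect"


def demo():
    """Triage constructed stand-ins for the files named in the thread."""
    samples = {
        "SOFTWARE": b"regf" + bytes(28),           # registry hive header
        "pagefile.sys": bytes(range(0x20, 0x40)),  # paged-out memory, no fixed magic
        "report.docx": ZIP + bytes(28),            # a genuine OOXML document
        "user32.dll": b"MZ\x90\x00" + bytes(28),   # a PE image
    }
    hits = [
        ("SOFTWARE", "Docx.Exploit.CVE_2015_1770"),
        ("pagefile.sys", "Docx.Exploit.CVE_2015_1770"),
        ("pagefile.sys", "Exploit.Countdown"),
        ("report.docx", "Docx.Exploit.CVE_2015_1770"),
        ("user32.dll", "Win.Exploit.CVE_2017_8689-6336853-0"),
    ]
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in samples.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(data)
        for name, sig in hits:
            results[(name, sig)] = triage_hit(os.path.join(tmp, name), sig)
    return results


if __name__ == "__main__":
    for (name, sig), verdict in demo().items():
        print(f"{verdict:10} {sig:40} {name}")
```

Two things the verdict does not say. A registry hive and pagefile.sys are containers of arbitrary data, so a "suspect" hit there means a matching byte pattern was present somewhere inside (a paged-out document, a cached value), not that the container is a malicious Office file; and "consistent" only means the format is plausible, which is no evidence that the detection is a true positive. Signatures without a recognised family prefix, such as the Exploit.Countdown hit mentioned later in the thread, come back as "unknown" rather than being guessed at.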


[clamav-users] How to clean infection by Docx.Exploit.CVE_2015_1770

2015-07-22 Thread JD Ackle
Hello,

Currently, ClamAV run from Linux reports Docx.Exploit.CVE_2015_1770 in my 
Windows 8.1 install, in files:
- pageFile.sys
- Windows/System32/config/SOFTWARE (a piece of the Windows registry)

If I understand it correctly, pageFile.sys works much like a Linux swap, hence 
basically containing RAM dumps. After removing the file from the Windows system 
and booting to it I noticed Windows just made a new one when needed, as I 
expected. Thus I am actually using that file as a checkpoint to track whether 
the system is clean or not - whether the virus appears in the volatile memory 
when Windows is run.
When I first noticed the infection, pageFile.sys did not get infected upon a 
Windows startup without logging on a user (it would however otherwise, 
regardless of whether the user was an administrator or a regular one).

I noticed the infection on Windows/System32/config/SOFTWARE later and moved it 
to Linux to try and fix it - even though I was not really sure how to do it. 
Upon giving up on the latter plan I simply tried booting into Windows which 
failed. Since copying the SOFTWARE file back in, pageFile.sys now becomes 
infected even if I don't logon any user.
I presume the reason for this may be that the file lost its Windows permission 
upon being copied to my Linux install and is now world-accessible, thus being 
run by the system even before an allowed user is logged on...?

On another hand, I am hesitant to consider this a false positive as ClamAV did 
detect another virus in my Windows system:
- Program Files (x86)/Hewlett-Packard/Shared/WizLink.exe: Win.Worm.Tenga-113 
FOUND
I don't need that file at all, so I simply deleted it and no further infections of 
that virus have been detected since. My Windows install was running 
considerably slow (especially network-related tasks) before removing that file 
and seems to have picked back up on its speed, so I am assuming the said virus 
has indeed, at least for the most common use of that system, been removed.
However, I'm not sure whether this worm and the Docx.Exploit.CVE_2015_1770 are 
not related...?

No other infections were detected by ClamAV on the affected system and Norton 
Internet Security, which I have installed and running on Windows, doesn't seem 
to have ever noticed anything.

So that's basically the full story.
At this moment, I would like to know how I can remove 
Docx.Exploit.CVE_2015_1770 from Windows/System32/config/SOFTWARE (any 
particular key or value I should be looking for?), so that I'm sure it's not 
its loading into RAM at startup that's making its signature appear on 
/pageFile.sys.

Thanks in advance,
JD Ackle